Hello everyone! I am absolutely thrilled about the new features we are deploying with Genesys Dialog Engine Bot Flows. The natural language understanding is phenomenal. However, I am hitting a major roadblock regarding GDPR compliance. We are attempting to build a custom analytics dashboard to track intent success rates and slot filling drop-offs using the /api/v2/analytics/bots/aggregate endpoint. The problem is that some of our conversational slots capture sensitive customer data. I am noticing that raw user utterances sometimes leak into the analytics extracts before our external PII redaction pipeline can process them. Has anyone successfully implemented a real-time mask on bot session transcripts so that the analytics payloads are sanitized before they are stored in a reporting warehouse? I am eager to see how others are solving this!
I ran into something very similar last quarter. We had a huge issue with remote agents on VPNs where our network sniffers were catching unencrypted SIP traffic before the TLS negotiation completed. For the bot flows, you cannot easily intercept the API payload mid-flight.
Instead of pulling the raw bot aggregate endpoint directly, we started using an AWS Lambda middleware. Basically, we subscribe to the EventBridge topic v2.detail.events.conversation.{id}.bot.session and run a regex scrubber there.
It is a bit of a workaround, but it allows us to sanitize the JSON before pushing it to our reporting bucket.
The EventBridge approach introduces unnecessary latency. If your primary reporting consumption is through an external CRM like Salesforce, you should handle the masking natively within Architect. We map bot intent data directly to custom Salesforce Task object fields when the interaction ends using the managed package.
Do not rely on the raw transcript API for aggregate reporting. Instead, configure Secure Data Variables in your Architect Bot Flow.
If a slot or variable is marked as secure, its value is masked in the standard analytics API payloads automatically. This ensures compliance without requiring middleware.